{ "type": "Domain", "indicator": "carversation.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/carversation.com", "alexa": "http://www.alexa.com/siteinfo/carversation.com", "indicator": "carversation.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3661738207, "indicator": "carversation.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 4, "pulses": [ { "id": "69375583aeea809ad44d73cf", "name": "Investigating Indonesias Gambling Ecosystem: Indicators of National-Level Cyber Operations", "description": "Research has uncovered a substantial state-sponsored cybercrime operation in Indonesia that has been active for over 14 years, significantly revolving around illegal gambling activities. This infrastructure, attributed to a sophisticated Advanced Persistent Threat (APT), operates with remarkable resources typical of state-level actors and consists of over 328,000 domains, including 90,125 hacked domains and 236,433 purchased domains. The campaign employs extensive domain hijacking techniques, primarily targeting organizations and government entities across multiple sectors. Indicators of its operations include the use of TLS-terminating reverse proxies to conceal command and control (C2) traffic and facilitate cookie theft on compromised sites.", "modified": "2025-12-08T22:54:05.801000", "created": "2025-12-08T22:47:31.272000", "tags": [ "indonesia", "wordpress", "ip address", "android", "fqdns", "slack", "facebook", "scribd", "exploit", "envato" ], "references": [ "https://www.malanta.ai/blog-posts/investigating-indonesias-gambling-ecosystem-indicators-of-national-level-cyber-operations" ], "public": 1, "adversary": "", "targeted_countries": [ "Indonesia", "United States of America", "Ecuador" ], "malware_families": [ { "id": "Envato", "display_name": "Envato", "target": null } ], "attack_ids": [ { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1608", "name": "Stage Capabilities", "display_name": "T1608 - Stage Capabilities" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1505.003", "name": "Web Shell", "display_name": "T1505.003 - Web Shell" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1567", "name": "Exfiltration Over Web Service", "display_name": "T1567 - Exfiltration Over Web Service" } ], "industries": [ "Manufacturing", "Transport", "Healthcare", "Government", "Education" ], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 466892, "hostname": 5011, "FileHash-MD5": 344, "FileHash-SHA1": 342, "FileHash-SHA256": 15639 }, "indicator_count": 488228, "is_author": false, "is_subscribing": null, "subscriber_count": 546, "modified_text": "174 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67c7461a9d33336498accc75", "name": "North/Southeast \"Toll Road\" SMS Phishing Scam Extracted IOCs - Lighthouse Phishing Kit", "description": "Extracted indicators from iMessage/RCS spear-phishing messages using urgent tolling violation messages masquerading as legitimate U.S. state-run toll facilities such as E-ZPass/Sunpass/EZDriveMA. Evasion: Cloudflare tunneling; Checks user-agent header strings for mobile indicators--desktop user-agent redirects to 404.", "modified": "2025-04-03T16:01:33.433000", "created": "2025-03-04T18:27:38.845000", "tags": [ "identifying", "phishing", "ezpass", "scam", "toll", "ios", "spearphishing", "sms", "icloud", "phishing kit", "RCS", "lighthouse phishing kit", "phishing-as-a-service", "sunpass", "massdot" ], "references": [ "https://krebsonsecurity.com/2025/01/chinese-innovations-spawn-wave-of-toll-phishing-via-sms/", "https://www.ic3.gov/PSA/2024/PSA240412?os=...&ref=app" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1497.001", "name": "System Checks", "display_name": "T1497.001 - System Checks" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "euphixey", "id": "150938", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_150938/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 4, "FileHash-MD5": 1, "domain": 6748, "hostname": 2 }, "indicator_count": 6755, "is_author": false, "is_subscribing": null, "subscriber_count": 30, "modified_text": "423 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "657099644208c92832a9ae92", "name": "those ip's JL v2 all suggested ioc's - Data you got \ud83d\ude1c\ud83e\udd37\u200d\u2640\ufe0f", "description": "", "modified": "2023-12-06T15:55:15.497000", "created": "2023-12-06T15:55:15.497000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 4582, "FileHash-SHA256": 2374, "CVE": 5, "domain": 3456, "URL": 14212, "FileHash-MD5": 13, "FileHash-SHA1": 13 }, "indicator_count": 24655, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "907 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "643746d7f4010b92e37ace06", "name": "those ip's JL v2 all suggested ioc's - Data you got \ud83d\ude1c\ud83e\udd37\u200d\u2640\ufe0f", "description": "", "modified": "2023-04-13T00:03:35.384000", "created": "2023-04-13T00:03:35.384000", "tags": [], "references": [ "g4991d86fdf3941e589ac92d5848b9f8d260d7afe5e9f47839d69fe03b34b062e.json" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 89, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "callmeDoris", "id": "205385", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 14212, "FileHash-SHA256": 2374, "hostname": 4582, "domain": 3456, "CVE": 5, "IPv4": 311, "FileHash-MD5": 13, "FileHash-SHA1": 13 }, "indicator_count": 24966, "is_author": false, "is_subscribing": null, "subscriber_count": 94, "modified_text": "1145 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://www.ic3.gov/PSA/2024/PSA240412?os=...&ref=app", "https://www.malanta.ai/blog-posts/investigating-indonesias-gambling-ecosystem-indicators-of-national-level-cyber-operations", "https://krebsonsecurity.com/2025/01/chinese-innovations-spawn-wave-of-toll-phishing-via-sms/", "g4991d86fdf3941e589ac92d5848b9f8d260d7afe5e9f47839d69fe03b34b062e.json" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [ "Envato" ], "industries": [ "Education", "Government", "Manufacturing", "Healthcare", "Transport" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 4, "pulses": [ { "id": "69375583aeea809ad44d73cf", "name": "Investigating Indonesias Gambling Ecosystem: Indicators of National-Level Cyber Operations", "description": "Research has uncovered a substantial state-sponsored cybercrime operation in Indonesia that has been active for over 14 years, significantly revolving around illegal gambling activities. This infrastructure, attributed to a sophisticated Advanced Persistent Threat (APT), operates with remarkable resources typical of state-level actors and consists of over 328,000 domains, including 90,125 hacked domains and 236,433 purchased domains. The campaign employs extensive domain hijacking techniques, primarily targeting organizations and government entities across multiple sectors. Indicators of its operations include the use of TLS-terminating reverse proxies to conceal command and control (C2) traffic and facilitate cookie theft on compromised sites.", "modified": "2025-12-08T22:54:05.801000", "created": "2025-12-08T22:47:31.272000", "tags": [ "indonesia", "wordpress", "ip address", "android", "fqdns", "slack", "facebook", "scribd", "exploit", "envato" ], "references": [ "https://www.malanta.ai/blog-posts/investigating-indonesias-gambling-ecosystem-indicators-of-national-level-cyber-operations" ], "public": 1, "adversary": "", "targeted_countries": [ "Indonesia", "United States of America", "Ecuador" ], "malware_families": [ { "id": "Envato", "display_name": "Envato", "target": null } ], "attack_ids": [ { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1608", "name": "Stage Capabilities", "display_name": "T1608 - Stage Capabilities" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1505.003", "name": "Web Shell", "display_name": "T1505.003 - Web Shell" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1567", "name": "Exfiltration Over Web Service", "display_name": "T1567 - Exfiltration Over Web Service" } ], "industries": [ "Manufacturing", "Transport", "Healthcare", "Government", "Education" ], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 466892, "hostname": 5011, "FileHash-MD5": 344, "FileHash-SHA1": 342, "FileHash-SHA256": 15639 }, "indicator_count": 488228, "is_author": false, "is_subscribing": null, "subscriber_count": 546, "modified_text": "174 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67c7461a9d33336498accc75", "name": "North/Southeast \"Toll Road\" SMS Phishing Scam Extracted IOCs - Lighthouse Phishing Kit", "description": "Extracted indicators from iMessage/RCS spear-phishing messages using urgent tolling violation messages masquerading as legitimate U.S. state-run toll facilities such as E-ZPass/Sunpass/EZDriveMA. Evasion: Cloudflare tunneling; Checks user-agent header strings for mobile indicators--desktop user-agent redirects to 404.", "modified": "2025-04-03T16:01:33.433000", "created": "2025-03-04T18:27:38.845000", "tags": [ "identifying", "phishing", "ezpass", "scam", "toll", "ios", "spearphishing", "sms", "icloud", "phishing kit", "RCS", "lighthouse phishing kit", "phishing-as-a-service", "sunpass", "massdot" ], "references": [ "https://krebsonsecurity.com/2025/01/chinese-innovations-spawn-wave-of-toll-phishing-via-sms/", "https://www.ic3.gov/PSA/2024/PSA240412?os=...&ref=app" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1497.001", "name": "System Checks", "display_name": "T1497.001 - System Checks" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "euphixey", "id": "150938", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_150938/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 4, "FileHash-MD5": 1, "domain": 6748, "hostname": 2 }, "indicator_count": 6755, "is_author": false, "is_subscribing": null, "subscriber_count": 30, "modified_text": "423 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "657099644208c92832a9ae92", "name": "those ip's JL v2 all suggested ioc's - Data you got \ud83d\ude1c\ud83e\udd37\u200d\u2640\ufe0f", "description": "", "modified": "2023-12-06T15:55:15.497000", "created": "2023-12-06T15:55:15.497000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 4582, "FileHash-SHA256": 2374, "CVE": 5, "domain": 3456, "URL": 14212, "FileHash-MD5": 13, "FileHash-SHA1": 13 }, "indicator_count": 24655, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "907 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "643746d7f4010b92e37ace06", "name": "those ip's JL v2 all suggested ioc's - Data you got \ud83d\ude1c\ud83e\udd37\u200d\u2640\ufe0f", "description": "", "modified": "2023-04-13T00:03:35.384000", "created": "2023-04-13T00:03:35.384000", "tags": [], "references": [ "g4991d86fdf3941e589ac92d5848b9f8d260d7afe5e9f47839d69fe03b34b062e.json" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 89, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "callmeDoris", "id": "205385", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 14212, "FileHash-SHA256": 2374, "hostname": 4582, "domain": 3456, "CVE": 5, "IPv4": 311, "FileHash-MD5": 13, "FileHash-SHA1": 13 }, "indicator_count": 24966, "is_author": false, "is_subscribing": null, "subscriber_count": 94, "modified_text": "1145 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "carversation.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "carversation.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780290030.2449477 }